API token permissions
Permissions are segmented into three categories based on resource:
- Zone permissions
- Account permissions
- User permissions
Each category contains permission groups related to those resources. DNS permissions belong to the Zone category, while Billing permissions belong to the Account category. Below is a list of the available token permissions.
To obtain an updated list of token permissions, including the permission ID and the scope of each permission, use the List permission groups endpoint.
The applicable scope of user permissions is com.cloudflare.api.user.
| Name | Description |
|---|---|
| API Tokens Read | Grants read access to user's API tokens. |
| API Tokens Edit | Grants write access to user's API tokens. |
| Memberships Read | Grants read access to a user's account memberships. |
| Memberships Edit | Grants write access to a user's account memberships. |
| User Details Read | Grants read access to user details. |
| User Details Edit | Grants write access to user details. |
| Name | Description |
|---|---|
| API Tokens Read | Grants read access to user's API tokens. |
| API Tokens Write | Grants write access to user's API tokens. |
| Memberships Read | Grants read access to a user's account memberships. |
| Memberships Write | Grants write access to a user's account memberships. |
| User Details Read | Grants read access to user details. |
| User Details Write | Grants write access to user details. |
The applicable scope of account permissions is com.cloudflare.api.account.
| Name | Description |
| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access applications and policies | resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke Cloudflare Access application tokens |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access applications and policies |
| Access: Audit Logs Read | Grants read access to Cloudflare Access audit logs. |
| Access: Custom Pages Read | Grants read access to Cloudflare Access custom block pages. |
| Access: Custom Pages Edit | Grants write access to Cloudflare Access custom block pages. |
| Access: Device Posture Read | Grants read access to Cloudflare Access device posture. |
| Access: Device Posture Edit | Grants write access to Cloudflare Access device posture. |
| Access: Mutual TLS Certificates Read | Grants read access to Cloudflare Access mTLS certificates. |
| Access: Mutual TLS Certificates Edit | Grants write access to Cloudflare Access mTLS certificates. |
| Access: Organizations, Identity Providers, and Groups Read | Grants read access to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Edit | Grants write access to Cloudflare Access account resources. |
| Access: Service Tokens Read | Grants read access to Cloudflare Access service tokens. |
| Access: Service Tokens Edit | Grants write access to Cloudflare Access service tokens. |
| Access: SSH Auditing Read | Grants read access to Cloudflare Access SSH CAs. |
| Access: SSH Auditing Edit | Grants write access to Cloudflare Access SSH CAs. |
| Account Analytics Read | Grants read access to account analytics. |
| Account Custom Pages Read | Grants read access to account-level Error Pages. |
| Account Custom Pages Edit | Grants write access to account-level Error Pages. |
| Account Filter Lists Read | Grants read access to Account Filter Lists. |
| Account Filter Lists Edit | Grants write access to Account Filter Lists. |
| Account Firewall Access Rules Read | Grants read access to account firewall access rules. |
| Account Firewall Access Rules Edit | Grants write access to account firewall access rules. |
| Account Rulesets Read | Grants read access to Account Rulesets. |
| Account Rulesets Edit | Grants write access to Account Rulesets. |
| Account Settings Read | Grants read access to Account resources, account membership, and account level features. |
| Account Settings Edit | Grants write access to Account resources, account membership, and account level features. |
| Account: SSL and Certificates Read | Grants read access to SSL and Certificates. |
| Account: SSL and Certificates Edit | Grants write access to SSL and Certificates. |
| Account WAF Read | Grants read access to Account WAF. |
| Account WAF Edit | Grants write access to Account WAF. |
| Address Maps Edit | Grants write access to Address Maps |
| Address Maps Read | Grants read access to Address Maps |
| Allow Request Tracer Read | Grants read access to Request Tracer. |
| API Gateway Read | Grants read access to API Gateway (including API Shield) for all domains in an account. |
| API Gateway Edit | Grants write access to API Gateway (including API Shield) for all domains in an account. |
| Billing Read | Grants read access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Billing Edit | Grants write access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Bulk URL Redirects Read | Grants read access to Bulk Redirects. |
| Bulk URL Redirects Edit | Grants write access to Bulk Redirects. |
| China Network Steering Read | Grants read access to China Network Steering. |
| China Network Steering Edit | Grants write access to China Network Steering. |
| Cloudchamber Read | Grants read access to Cloudchamber deployments. |
| Cloudchamber Edit | Grants write access to Cloudchamber deployments. |
| Cloudflare Realtime Read | Grants read access to Cloudflare Realtime. |
| Cloudflare Realtime Edit | Grants write access to Cloudflare Realtime. |
| Cloudflare DEX Read | Grants read access to Digital Experience Monitoring. |
| Cloudflare DEX Edit | Grants write access to Digital Experience Monitoring. |
| Cloudflare Images Read | Grants read access to Cloudflare Images. |
| Cloudflare Images Edit | Grants write access to Cloudflare Images. |
| Cloudflare One Connector: cloudflared Read | Grants read access to cloudflared connectors |
| Cloudflare One Connector: cloudflared Edit | Grants write access to cloudflared connectors |
| Cloudflare One Connector: WARP Read | Grants read access to WARP Connectors |
| Cloudflare One Connector: WARP Edit | Grants write access to WARP Connectors |
| Cloudflare One Connectors Read | Grants read access to Cloudflare One connectors |
| Cloudflare One Connectors Edit | Grants write access to Cloudflare One connectors |
| Cloudflare One Networks Read | Grants read access to Cloudflare One routes and virtual networks |
| Cloudflare One Networks Edit | Grants write access to Cloudflare One routes and virtual networks |
| Cloudflare Pages Read | Grants access to view Cloudflare Pages projects. |
| Cloudflare Pages Edit | Grants access to create, edit and delete Cloudflare Pages projects. |
| Cloudflare Tunnel Read | Grants access to view Cloudflare Tunnels. |
| Cloudflare Tunnel Edit | Grants access to create and delete Cloudflare Tunnels. |
| Cloudforce One Read | Grants read access to Cloudforce One. |
| Cloudforce One Edit | Grants write access to Cloudforce One. |
| Email Security Read | Grants read access to Cloud Email Security. |
| Email Security Edit | Grants write access to Email Security. |
| Constellation Read | Grants read access to Constellation. |
| Constellation Edit | Grants write access to Constellation. |
| Containers Read | Grants read access to Containers. |
| Containers Edit | Grants write access to Containers. |
| D1 Read | Grants read access to D1. |
| D1 Edit | Grants write access to D1. |
| DDoS Botnet Feed Read | Grants read access to Botnet Feed reports. |
| DDoS Botnet Feed Edit | Grants write access to Botnet Feed configuration. |
| DDoS Protection Read | Grants read access to DDoS protection. |
| DDoS Protection Edit | Grants write access to DDoS protection. |
| DNS Firewall Read | Grants read access to DNS Firewall. |
| DNS Firewall Edit | Grants write access to DNS Firewall. |
| Email Routing Addresses Read | Grants read access to Email Routing Addresses. |
| Email Routing Addresses Edit | Grants write access to Email Routing Addresses. |
| Hyperdrive Read | Grants read access to Hyperdrive. |
| Hyperdrive Edit | Grants write access to Hyperdrive. |
| Intel Read | Grants read access to Intel. |
| Intel Edit | Grants write access to Intel. |
| Integration Edit | Grants write access to integrations. |
| IOT Read | Grants read access to IOT ↗. |
| IOT Edit | Grants write access to IOT ↗. |
| IP Prefixes: Read | Grants access to read IP prefix settings. |
| IP Prefixes: Edit | Grants access to read/write IP prefix settings. |
| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. |
| IP Prefixes: BGP On Demand Edit | Grants access to read and change IP prefix BGP configuration. |
| L3/4 DDoS Managed Ruleset Read | Grants read access to L3/4 DDoS managed ruleset. |
| L3/4 DDoS Managed Ruleset Edit | Grants write access to L3/4 DDoS managed ruleset. |
| Load Balancing: Monitors and Pools Read | Grants read access to account level load balancer resources. |
| Load Balancing: Monitors and Pools Edit | Grants write access to account level load balancer resources. |
| Logs Read | Grants read access to logs using Logpull or Instant Logs. |
| Logs Edit | Grants read and write access to Logpull, Logpush, and Instant Logs. |
| Magic Firewall Read | Grants read access to Magic Firewall. |
| Magic Firewall Edit | Grants write access to Magic Firewall. |
| Magic Firewall Packet Captures Read | Grants read access to Packet Captures. |
| Magic Firewall Packet Captures Edit | Grants write access to Packet Captures. |
| Magic Network Monitoring Read | Grants read access to Magic Network Monitoring. |
| Magic Network Monitoring Edit | Grants write access to Magic Network Monitoring. |
| Magic Transit Read | Grants read access to manage a user's Magic Transit prefixes. |
| Magic Transit Edit | Grants write access to manage a user's Magic Transit prefixes. |
| Notifications Read | Grants read access to Notifications. |
| Notifications Edit | Grants write access to Notifications. |
| Page Shield Read | Grants read access to Page Shield. |
| Page Shield Edit | Grants write access to Page Shield. |
| Workers Pipelines Read | Grants read access to Cloudflare Pipelines. |
| Workers Pipelines Edit | Grants write access to Cloudflare Pipelines. |
| Pub/Sub Read | Grants read access to Pub/Sub. |
| Pub/Sub Edit | Grants write access to Pub/Sub. |
| Queues Read | Grants read access to Queues. |
| Queues Edit | Grants write access to Queues. |
| Rule Policies Read | Grants read access to Rule Policies. |
| Rule Policies Edit | Grants write access to Rule Policies. |
| Stream Read | Grants read access to Cloudflare Stream. |
| Stream Edit | Grants write access to Cloudflare Stream. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Edit | Grants write access to Transform Rules. |
| Turnstile Read | Grants read access to Turnstile. |
| Turnstile Edit | Grants write access to Turnstile. |
| URL Scanner Read | Grants read access to URL Scanner. |
| URL Scanner Edit | Grants write access to URL Scanner. |
| Vectorize Read | Grants read access to Vectorize. |
| Vectorize Edit | Grants write access to Vectorize. |
| Workers AI Read | Grants read access to Workers AI. |
| Workers AI Edit | Grants write access to Workers AI. |
| Workers CI Read | Grants read access to Workers CI. |
| Workers CI Edit | Grants write access to Workers CI. |
| Workers KV Storage Read | Grants read access to Cloudflare Workers KV Storage. |
| Workers KV Storage Edit | Grants write access to Cloudflare Workers KV Storage. |
| Workers R2 Storage Read | Grants read access to Cloudflare R2 Storage. |
| Workers R2 Storage Edit | Grants write access to Cloudflare R2 Storage. |
| Workers Scripts Read | Grants read access to Cloudflare Workers scripts. |
| Workers Scripts Edit | Grants write access to Cloudflare Workers scripts. |
| Workers Tail Read | Grants wrangler tail read permissions. |
| Zero Trust Read | Grants read access to Cloudflare Zero Trust resources. |
| Zero Trust Report | Grants reporting access to Cloudflare Zero Trust. |
| Zero Trust Edit | Grants write access to Cloudflare Zero Trust resources. |
| Zero Trust: PII Read | Grants read access to Cloudflare Zero Trust PII. |
| Zero Trust: Seats Edit | Grants write access to the number of Zero Trust seats your organization can use (and be billed for). |
| Name | Description |
| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access applications and policies | resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke Cloudflare Access application tokens |
| Access: Apps and Policies Write | Grants write access to Cloudflare Access applications and policies |
| Access: Audit Logs Read | Grants read access to Cloudflare Access audit logs. |
| Access: Custom Pages Read | Grants read access to Cloudflare Access custom block pages. |
| Access: Custom Pages Write | Grants write access to Cloudflare Access custom block pages. |
| Access: Device Posture Read | Grants read access to Cloudflare Access device posture. |
| Access: Device Posture Write | Grants write access to Cloudflare Access device posture. |
| Access: Mutual TLS Certificates Read | Grants read access to Cloudflare Access mTLS certificates. |
| Access: Mutual TLS Certificates Write | Grants write access to Cloudflare Access mTLS certificates. |
| Access: Organizations, Identity Providers, and Groups Read | Grants read access to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Write | Grants write access to Cloudflare Access account resources. |
| Access: Service Tokens Read | Grants read access to Cloudflare Access service tokens. |
| Access: Service Tokens Write | Grants write access to Cloudflare Access service tokens. |
| Access: SSH Auditing Read | Grants read access to Cloudflare Access SSH CAs. |
| Access: SSH Auditing Write | Grants write access to Cloudflare Access SSH CAs. |
| Account Analytics Read | Grants read access to account analytics. |
| Account Custom Pages Read | Grants read access to account-level Error Pages. |
| Account Custom Pages Write | Grants write access to account-level Error Pages. |
| Account Rule Lists Read | Grants read access to Account Filter Lists. |
| Account Rule Lists Write | Grants write access to Account Filter Lists. |
| Account Firewall Access Rules Read | Grants read access to account firewall access rules. |
| Account Firewall Access Rules Write | Grants write access to account firewall access rules. |
| Account Rulesets Read | Grants read access to Account Rulesets. |
| Account Rulesets Write | Grants write access to Account Rulesets. |
| Account Settings Read | Grants read access to Account resources, account membership, and account level features. |
| Account Settings Write | Grants write access to Account resources, account membership, and account level features. |
| Account: SSL and Certificates Read | Grants read access to SSL and Certificates. |
| Account: SSL and Certificates Write | Grants write access to SSL and Certificates. |
| Account WAF Read | Grants read access to Account WAF. |
| Account WAF Write | Grants write access to Account WAF. |
| Address Maps Write | Grants write access to Address Maps |
| Address Maps Read | Grants read access to Address Maps |
| Allow Request Tracer Read | Grants read access to Request Tracer. |
| Account API Gateway Read | Grants read access to API Gateway (including API Shield) for all domains in an account. |
| Account API Gateway Write | Grants write access to API Gateway (including API Shield) for all domains in an account. |
| Billing Read | Grants read access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Billing Write | Grants write access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Mass URL Redirects Read | Grants read access to Bulk Redirects. |
| Mass URL Redirects Write | Grants write access to Bulk Redirects. |
| China Network Steering Read | Grants read access to China Network Steering. |
| China Network Steering Write | Grants write access to China Network Steering. |
| Cloudchamber Read | Grants read access to Cloudchamber deployments. |
| Cloudchamber Write | Grants write access to Cloudchamber deployments. |
| Realtime Read | Grants read access to Cloudflare Realtime. |
| Realtime Write | Grants write access to Cloudflare Realtime. |
| Cloudflare DEX Read | Grants read access to Digital Experience Monitoring. |
| Cloudflare DEX Write | Grants write access to Digital Experience Monitoring. |
| Images Read | Grants read access to Cloudflare Images. |
| Images Write | Grants write access to Cloudflare Images. |
| Cloudflare One Connector: cloudflared Read | Grants read access to cloudflared connectors |
| Cloudflare One Connector: cloudflared Write | Grants write access to cloudflared connectors |
| Cloudflare One Connector: WARP Read | Grants read access to WARP Connectors |
| Cloudflare One Connector: WARP Write | Grants write access to WARP Connectors |
| Cloudflare One Connectors Read | Grants read access to Cloudflare One connectors |
| Cloudflare One Connectors Write | Grants write access to Cloudflare One connectors |
| Cloudflare One Networks Read | Grants read access to Cloudflare One routes and virtual networks |
| Cloudflare One Networks Write | Grants write access to Cloudflare One routes and virtual networks |
| Pages Read | Grants access to view Cloudflare Pages projects. |
| Pages Write | Grants access to create, edit and delete Cloudflare Pages projects. |
| Cloudflare Tunnel Read | Grants access to view Cloudflare Tunnels. |
| Cloudflare Tunnel Write | Grants access to create and delete Cloudflare Tunnels. |
| Cloudforce One Read | Grants read access to Cloudforce One. |
| Cloudforce One Write | Grants write access to Cloudforce One. |
| Cloud Email Security: Read | Grants read access to Cloud Email Security. |
| Cloud Email Security: Write | Grants write access to Email Security. |
| Constellation Read | Grants read access to Constellation. |
| Constellation Write | Grants write access to Constellation. |
| Containers Read | Grants read access to Containers. |
| Containers Write | Grants write access to Containers. |
| D1 Read | Grants read access to D1. |
| D1 Write | Grants write access to D1. |
| DDoS Botnet Feed Read | Grants read access to Botnet Feed reports. |
| DDoS Botnet Feed Write | Grants write access to Botnet Feed configuration. |
| DDoS Protection Read | Grants read access to DDoS protection. |
| DDoS Protection Write | Grants write access to DDoS protection. |
| DNS Firewall Read | Grants read access to DNS Firewall. |
| DNS Firewall Write | Grants write access to DNS Firewall. |
| Email Routing Addresses Read | Grants read access to Email Routing Addresses. |
| Email Routing Addresses Write | Grants write access to Email Routing Addresses. |
| Hyperdrive Read | Grants read access to Hyperdrive. |
| Hyperdrive Write | Grants write access to Hyperdrive. |
| Intel Read | Grants read access to Intel. |
| Intel Write | Grants write access to Intel. |
| Integration Write | Grants write access to integrations. |
| IOT Read | Grants read access to IOT ↗. |
| IOT Write | Grants write access to IOT ↗. |
| IP Prefixes: Read | Grants access to read IP prefix settings. |
| IP Prefixes: Write | Grants access to read/write IP prefix settings. |
| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. |
| IP Prefixes: BGP On Demand Write | Grants access to read and change IP prefix BGP configuration. |
| L4 DDoS Managed Ruleset Read | Grants read access to L3/4 DDoS managed ruleset. |
| L4 DDoS Managed Ruleset Write | Grants write access to L3/4 DDoS managed ruleset. |
| Load Balancing: Monitors and Pools Read | Grants read access to account level load balancer resources. |
| Load Balancing: Monitors and Pools Write | Grants write access to account level load balancer resources. |
| Logs Read | Grants read access to logs using Logpull or Instant Logs. |
| Logs Write | Grants read and write access to Logpull, Logpush, and Instant Logs. |
| Magic Firewall Read | Grants read access to Magic Firewall. |
| Magic Firewall Write | Grants write access to Magic Firewall. |
| Magic Firewall Packet Captures - Read PCAPs API | Grants read access to Packet Captures. |
| Magic Firewall Packet Captures - Write PCAPs API | Grants write access to Packet Captures. |
| Magic Network Monitoring Read | Grants read access to Magic Network Monitoring. |
| Magic Network Monitoring Write | Grants write access to Magic Network Monitoring. |
| Magic Transit Read | Grants read access to manage a user's Magic Transit prefixes. |
| Magic Transit Write | Grants write access to manage a user's Magic Transit prefixes. |
| Notifications Read | Grants read access to Notifications. |
| Notifications Write | Grants write access to Notifications. |
| Page Shield Read | Grants read access to Page Shield. |
| Page Shield Write | Grants write access to Page Shield. |
| Pipelines Read | Grants read access to Cloudflare Pipelines. |
| Pipelines Write | Grants write access to Cloudflare Pipelines. |
| Pubsub Configuration Read | Grants read access to Pub/Sub. |
| Pubsub Configuration Write | Grants write access to Pub/Sub. |
| Queues Read | Grants read access to Queues. |
| Queues Write | Grants write access to Queues. |
| Rule Policies Read | Grants read access to Rule Policies. |
| Rule Policies Write | Grants write access to Rule Policies. |
| Stream Read | Grants read access to Cloudflare Stream. |
| Stream Write | Grants write access to Cloudflare Stream. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Write | Grants write access to Transform Rules. |
| Turnstile Sites Read | Grants read access to Turnstile. |
| Turnstile Sites Write | Grants write access to Turnstile. |
| URL Scanner Read | Grants read access to URL Scanner. |
| URL Scanner Write | Grants write access to URL Scanner. |
| Vectorize Read | Grants read access to Vectorize. |
| Vectorize Write | Grants write access to Vectorize. |
| Workers AI Read | Grants read access to Workers AI. |
| Workers AI Write | Grants write access to Workers AI. |
| Workers CI Read | Grants read access to Workers CI. |
| Workers CI Write | Grants write access to Workers CI. |
| Workers KV Storage Read | Grants read access to Cloudflare Workers KV Storage. |
| Workers KV Storage Write | Grants write access to Cloudflare Workers KV Storage. |
| Workers R2 Storage Read | Grants read access to Cloudflare R2 Storage. |
| Workers R2 Storage Write | Grants write access to Cloudflare R2 Storage. |
| Workers Scripts Read | Grants read access to Cloudflare Workers scripts. |
| Workers Scripts Write | Grants write access to Cloudflare Workers scripts. |
| Workers Tail Read | Grants wrangler tail read permissions. |
| Zero Trust Read | Grants read access to Cloudflare Zero Trust resources. |
| Zero Trust Report | Grants reporting access to Cloudflare Zero Trust. |
| Zero Trust Write | Grants write access to Cloudflare Zero Trust resources. |
| Zero Trust: PII Read | Grants read access to Cloudflare Zero Trust PII. |
| Zero Trust: Seats Write | Grants write access to the number of Zero Trust seats your organization can use (and be billed for). |
The applicable scope of zone permissions is com.cloudflare.api.account.zone.
| Name | Description |
|---|---|
| Access: Apps and Policies Read | Grants read access to Cloudflare Access zone resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access zone resources. |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access zone resources. |
| Analytics Read | Grants read access to analytics. |
| API Gateway Read | Grants read access to API Gateway zone resources. |
| API Gateway Edit | Grants write access to API Gateway zone resources. |
| Apps Edit | Grants full access to Cloudflare Apps (deprecated, refer to Workers instead). |
| Bot Management Read | Grants read access to Bot Management. |
| Bot Management Edit | Grants write access to Bot Management. |
| Bot Management Feedback Read | Grants read access to Bot Management feedback. |
| Bot Management Feedback Edit | Grants write access to Bot Management feedback. |
| Cache Purge | Grants access to purge cache. |
| Cache Rules Read | Grants read access to Cache Rules. |
| Cache Rules Edit | Grants write access to Cache Rules. |
| Cloud Connector Read | Grants read access to Cloud Connector rules. |
| Cloud Connector Edit | Grants write access to Cloud Connector rules. |
| Config Rules Read | Grants read access to Configuration Rules. |
| Config Rules Edit | Grants write access to Configuration Rules. |
| Custom Error Rules Read | Grants read access to Custom Error Rules. |
| Custom Error Rules Edit | Grants write access to Custom Error Rules. |
| Custom Pages Read | Grants read access to Custom Error Pages. |
| Custom Pages Edit | Grants write access to Custom Error Pages. |
| Dmarc Management Read | Grants read access to DMARC Management. |
| Dmarc Management Edit | Grants write access to DMARC Management. |
| DNS Read | Grants read access to DNS. |
| DNS Write | Grants write access to DNS. |
| Email Routing Rules Read | Grants read access to Email Routing Rules. |
| Email Routing Rules Edit | Grants write access to Email Routing Rules. |
| Firewall Services Read | Grants read access to Firewall resources. |
| Firewall Services Edit | Grants write access to Firewall resources. |
| Health Checks Read | Grants read access to Health Checks. |
| Health Checks Edit | Grants write access to Health Checks. |
| HTTP DDoS Managed Ruleset Read | Grants read access to HTTP DDoS managed ruleset. |
| HTTP DDoS Managed Ruleset Edit | Grants write access to HTTP DDoS managed ruleset. |
| Load Balancers Read | Grants read access to load balancer resources. |
| Load Balancers Edit | Grants write access to load balancer resources. |
| Logs Read | Grants read access to logs using Logpull. |
| Logs Edit | Grants write access to Logpull and Logpush. |
| Managed Headers Read | Grants read access to Managed Headers. |
| Managed Headers Edit | Grants write access to Managed Headers. |
| Origin Rules Read | Grants read access to Origin Rules. |
| Origin Rules Edit | Grants write access to Origin Rules. |
| Page Rules Read | Grants read access to Page Rules. |
| Page Rules Edit | Grants write access to Page Rules. |
| Page Shield Read | Grants read access to Page Shield. |
| Page Shield Edit | Grants write access to Page Shield. |
| Response Compression Read | Grants read access to Response Compression. |
| Response Compression Edit | Grants write access to Response Compression. |
| Sanitize Read | Grants read access to sanitization. |
| Sanitize Edit | Grants write access to sanitization. |
| Single Redirect Read | Grants read access to zone-level Single Redirects. |
| Single Redirect Edit | Grants write access to zone-level Single Redirects. |
| SSL and Certificates Read | Grants read access to SSL configuration and certificate management. |
| SSL and Certificates Edit | Grants write access to SSL configuration and certificate management. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Edit | Grants write access to Transform Rules. |
| Waiting Room Read | Grants read access to Waiting Room. |
| Waiting Room Edit | Grants write access to Waiting Room. |
| Web3 Hostnames Read | Grants read access to Web3 Hostnames. |
| Web3 Hostnames Edit | Grants write access to Web3 Hostnames. |
| Workers Routes Read | Grants read access to Cloudflare Workers and Workers KV Storage. |
| Workers Routes Edit | Grants write access to Cloudflare Workers and Workers KV Storage. |
| Zaraz Read | Grants read access to Zaraz zone level settings. |
| Zaraz Edit | Grants write access to Zaraz zone level settings. |
| Zone Read | Grants read access to zone management. |
| Zone Edit | Grants write access to zone management. |
| Zone Settings Read | Grants read access to zone settings. |
| Zone Settings Edit | Grants write access to zone settings. |
| Zone Versioning Read | Grants read access to Zone Versioning at zone level. |
| Zone Versioning Edit | Grants write access to Zone Versioning at zone level. |
| Zone WAF Read | Grants read access to Zone WAF. |
| Zone WAF Edit | Grants write access to Zone WAF. |
| Name | Description |
|---|---|
| Access: Apps and Policies Read | Grants read access to Cloudflare Access zone resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access zone resources. |
| Access: Apps and Policies Write | Grants write access to Cloudflare Access zone resources. |
| Analytics Read | Grants read access to analytics. |
| Domain API Gateway Read | Grants read access to API Gateway zone resources. |
| Domain API Gateway Write | Grants write access to API Gateway zone resources. |
| Apps Write | Grants full access to Cloudflare Apps (deprecated, refer to Workers instead). |
| Bot Management Read | Grants read access to Bot Management. |
| Bot Management Write | Grants write access to Bot Management. |
| Bot Management Feedback Read | Grants read access to Bot Management feedback. |
| Bot Management Feedback Write | Grants write access to Bot Management feedback. |
| Cache Purge | Grants access to purge cache. |
| Cache Settings Read | Grants read access to Cache Rules. |
| Cache Settings Write | Grants write access to Cache Rules. |
| Cloud Connector Read | Grants read access to Cloud Connector rules. |
| Cloud Connector Write | Grants write access to Cloud Connector rules. |
| Config Settings Read | Grants read access to Configuration Rules. |
| Config Settings Write | Grants write access to Configuration Rules. |
| Custom Errors Read | Grants read access to Custom Error Rules. |
| Custom Errors Write | Grants write access to Custom Error Rules. |
| Custom Pages Read | Grants read access to Custom Error Pages. |
| Custom Pages Write | Grants write access to Custom Error Pages. |
| Email Security DMARC Reports Read | Grants read access to DMARC Management. |
| Email Security DMARC Reports Write | Grants write access to DMARC Management. |
| DNS Read | Grants read access to DNS. |
| DNS Write | Grants write access to DNS. |
| Email Routing Rules Read | Grants read access to Email Routing Rules. |
| Email Routing Rules Write | Grants write access to Email Routing Rules. |
| Firewall Services Read | Grants read access to Firewall resources. |
| Firewall Services Write | Grants write access to Firewall resources. |
| Health Checks Read | Grants read access to Health Checks. |
| Health Checks Write | Grants write access to Health Checks. |
| HTTP DDoS Managed Ruleset Read | Grants read access to HTTP DDoS managed ruleset. |
| HTTP DDoS Managed Ruleset Write | Grants write access to HTTP DDoS managed ruleset. |
| Load Balancers Read | Grants read access to load balancer resources. |
| Load Balancers Write | Grants write access to load balancer resources. |
| Logs Read | Grants read access to logs using Logpull. |
| Logs Write | Grants write access to Logpull and Logpush. |
| Managed headers Read | Grants read access to Managed Headers. |
| Managed headers Write | Grants write access to Managed Headers. |
| Origin Read | Grants read access to Origin Rules. |
| Origin Write | Grants write access to Origin Rules. |
| Page Rules Read | Grants read access to Page Rules. |
| Page Rules Write | Grants write access to Page Rules. |
| Domain Page Shield Read | Grants read access to Page Shield. |
| Domain Page Shield Write | Grants write access to Page Shield. |
| Response Compression Read | Grants read access to Response Compression. |
| Response Compression Write | Grants write access to Response Compression. |
| Sanitize Read | Grants read access to sanitization. |
| Sanitize Write | Grants write access to sanitization. |
| Dynamic URL Redirects Read | Grants read access to zone-level Single Redirects. |
| Dynamic URL Redirects Write | Grants write access to zone-level Single Redirects. |
| SSL and Certificates Read | Grants read access to SSL configuration and certificate management. |
| SSL and Certificates Write | Grants write access to SSL configuration and certificate management. |
| Zone Transform Rules Read | Grants read access to Transform Rules. |
| Zone Transform Rules Write | Grants write access to Transform Rules. |
| Waiting Rooms Read | Grants read access to Waiting Room. |
| Waiting Rooms Write | Grants write access to Waiting Room. |
| Web3 Hostnames Read | Grants read access to Web3 Hostnames. |
| Web3 Hostnames Write | Grants write access to Web3 Hostnames. |
| Workers Routes Read | Grants read access to Cloudflare Workers and Workers KV Storage. |
| Workers Routes Write | Grants write access to Cloudflare Workers and Workers KV Storage. |
| Zaraz Read | Grants read access to Zaraz zone level settings. |
| Zaraz Write | Grants write access to Zaraz zone level settings. |
| Zone Read | Grants read access to zone management. |
| Zone Write | Grants write access to zone management. |
| Zone Settings Read | Grants read access to zone settings. |
| Zone Settings Write | Grants write access to zone settings. |
| Zone Versioning Read | Grants read access to Zone Versioning at zone level. |
| Zone Versioning Write | Grants write access to Zone Versioning at zone level. |
| Zone WAF Read | Grants read access to Zone WAF. |
| Zone WAF Write | Grants write access to Zone WAF. |
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark